Posts Tagged ‘EPB’

The popular unc0ver jailbreak has been updated to v4, and this is quite a big deal. The newest update advertises support for the latest A12 and A13 devices running iOS 13 through 13.3. The current version of iOS is 13.3.1. None of the older versions (including iOS 13.3) are signed, but there are still a lot of A12/A12X/A13 devices floating around. Until now, file system and keychain extraction were a big problem. The newest unc0ver jailbreak makes it possible.

The new build is based on an exploit that is quite reliable by itself. However, jailbreaking is more than just a single exploit; a lot of things (that are outside the scope of this article) have to be done. So the new version of a jailbreak is not a silver bullet, and may still fail on many devices; we have tested a few and received mixed results. Still, if the given device can be jailbroken with unc0ver, it means that we can pull all the data from it, down to the last bit.

ICYMI: iPhones and iPads based on A12/A12X/A13 SoC are not vulnerable to checkm8 exploit, and there is no room for BFU acquisition (if the passcode is not known). That means that jailbreaking them using iOS (not bootrom) exploits is the only way to get all the data, at least for now.

Installing the jailbreak

The jailbreak (current version: 4.0.2) is available as an IPA file (iOS/iPadOS package). There are several methods of installing it, but they usually require signing the IPA using a third-party certificate, which is not very safe and requires approving the certificate on the device, which in turn means that you have to allow the device to make an Internet connection. This in turn means that the device can be remotely locked or wiped (and even if Find My is disabled, it may sync and modify the data). The only workaround is to set up the network so that it can only access the Apple servers that take care of certificate approval, but this is not as easy as it sounds.

The better and safer way is to sign the jailbreak IPA with a developer’s certificate using Cydia Impactor. You will need a developer’s account to do that. If you have one, create an Application-specific password first as Cydia Impactor does not natively support 2FA.

Once the IPA is installed, just run it and press [Jailbreak]. That simple.

Well, not quite. First, you have to press [Settings] in the top-right corner and enable the following options:

  • (Re)Install OpenSSH
  • SSH Only
  • Read-Only RootFS

What is it all about? Install OpenSSH (which is not installed by default); do not install Cydia (not only will you not need it for the purpose of file system extraction, but removing Cydia after you’re done is a separate headache); do not remount the system partition, which makes the jailbreak rootless, safer, and minimal in impact. I would not say “forensically sound”, but very close to that.

Note that the new build of unc0ver is not very reliable yet. If it fails, here is what the jailbreak developers recommend:

To everyone having reliability issues. You must follow those conditions carefully to have the best success:
– reboot
– airplane mode
– lock device
– wait 30 seconds (don’t do anything)
– jailbreak

A better exploitation method is required to avoid this. We’ll try our best.

Data acquisition

iOS Forensic Toolkit is all you need. First, do not miss some basic usage tips:

Ready to go? Extract the keychain and the file system first. Just note that with the keychain extraction, you may get error/warning messages like the following:

[+] memory_size: 3962028032
[-] no offsets for iPad8,1 17C54
[e] error reading kernel @0x0
[-] no kernel_call addresses for iPad8,1 17C54
[e] error reading kernel @0x0
Injecting to trust cache...
Actually injecting 1 keys
1 new hashes to inject
Successfully injected [1/1] to trust cache.
[e] error writing kernel @0x0

Just ignore them for now; we will take care of them later. They don’t seem to affect the keychain acquisition.

As for the file system, please note that if you forget to set the appropriate unc0ver options and install OpenSSH later from Cydia, acquisition will probably fail. The OpenSSH client installed alongside the jailbreak works fine.

Anything else? Almost everything matters. Including whether you connect the iPhone directly or through a USB hub; the type of the cable (USB-A or USB-C to Lightning); and even the brand of the cable (original or not). Do not ask us why, ask Apple. In our experience, you get the best results when using an original Apple USB-A to Lightning cable connected directly (with no hubs); also, it works better on Macs. Yes, even that matters.

Data analysis

For “quick and dirty” analysis, use Elcomsoft Phone Viewer to browse the data acquired by iOS Forensic Toolkit. Do not underestimate this little tool; it does not parse all the data categories, but you will be surprised by the amount of data it can extract from media files (including deleted ones), locations, Apple Pay, Wallet etc. All the most-critical evidence is there.

Need more, including system databases, building the complete Timeline, defining social links between device contacts and extractions in Social Graph, getting comprehensive data analysis with facial recognition and image categorization, advanced data search and detailed reports? Get Oxygen Forensic Detective.

Did you extract the keychain? That’s a gold mine. Not just all the passwords and tokens (for dozens of web sites, social networks, mail accounts and more), but also the encryption keys that will allow you to decrypt WhatsApp and Signal conversations. Use Elcomsoft Phone Breaker to browse it in a very convenient way (well, three ways); there you will also be able to export passwords to a wordlist, allowing you to break other files, documents and systems almost instantly.

Today’s smartphones collect overwhelming amounts of data about the user’s daily activities. Smartphones track users’ location and record the number of steps they walked, save pictures and videos they take and every message they send or receive. Users trust smartphones with their passwords and login credentials to social networks, e-commerce and other Web sites. It is hard to imagine one’s daily life without calendars and reminders, notes and browser favorites and many other bits and pieces of information we entrust to our smartphones. All of those bits and pieces, and much more, are collected from the iPhone and stored in the cloud. While Apple claims secure encryption for all of the cloud data, the company readily provides some information to law enforcement when presented with a legal request – but refuses to give away some of the most important bits of data. In this article we’ll cover the types of data that Apple does and does not deliver when served with a government request or while processing the user’s privacy request.

What’s Stored in iCloud

Apple uses iCloud as an all-in-one cloud backup, cloud storage and cloud synchronization solution for users of iOS, iPadOS and macOS devices. iOS 12 and 13 can store the following types of data in the user’s iCloud account:

iCloud backups

iCloud backups contain a lot of data from the iPhone, which includes device settings and home screen icons, the list of installed apps and individual apps’ private data (if allowed by the app developer).

The content of iCloud backups is mostly exclusive. Many types of data that are synchronized with iCloud will be excluded from cloud backups. For example, if the user enables the iCloud Photo Library, pictures and videos will synchronize to iCloud and will not be included in iCloud backups. The same is true for many other categories. Here’s what Apple says in What does iCloud back up?

Your iPhone, iPad, and iPod touch backup only include information and settings stored on your device. It doesn’t include information already stored in iCloud, like Contacts, Calendars, Bookmarks, Mail, Notes, Voice Memos, shared photos, iCloud Photos, Health data, call history, and files you store in iCloud Drive.

In iOS 13, iCloud backups do not include any of the following:

  • Keychain *
  • Health data
  • Home data
  • iCloud Photos **
  • Messages **
  • Call logs
  • Safari history

* While the keychain is still physically included, records marked as ThisDeviceOnly are encrypted with a device-specific key and can only be restored onto the same physical device they were saved from.

** Photos and Messages are not included if (and only if) the iCloud sync of those categories is not enabled in device settings.

Synchronized data

iOS allows synchronizing many types of data with the user’s iCloud account. While users can enable or disable the sync for some of the data categories (as defined in Change your iCloud feature settings), some other types of data (e.g. the call log) are always synchronized unless the user disables the iCloud Drive feature entirely.

The following types of data are synchronized to iCloud:

  • Photos
  • Safari History & Bookmarks
  • Calendars
  • Contacts
  • Find My (Devices & People)
  • Notes
  • Reminders
  • Siri Shortcuts
  • Voice Memos
  • Wallet passes
  • iCloud Mail
  • Maps
  • Clips
  • Data covered by the iCloud Drive category (e.g. Call logs)

Files

There are two distinct data types that fall under the “Files” category.

The first category includes files the user stores in their iCloud Drive (e.g. by using the iOS Files app). These files are user-accessible, and can be downloaded by using the iCloud Drive app on a Mac or Windows PC.

The second category includes files stored by system apps (e.g. downloaded books and documents in the Books app) and third-party apps (e.g. stand-alone WhatsApp backups, game saves etc.) While large amounts of data may accumulate under this category, users have no direct access to these files. For example, any files stored by third-party apps are only displayed as toggles in the iCloud | Apps section. The only control the user has over these files is the ability to disable sync (and remove stored files) for a certain app.

End-to-end encrypted data

Apple uses end-to-end encryption to secure sensitive types of data such as the users’ passwords, Health data or credit card information. The data is secured with an encryption key derived from some device-specific information and the user’s screen lock passcode. Users must enroll their devices into the trusted circle in order to enable the sharing of end-to-end encrypted data.

The following types of data are covered by end-to-end encryption as per iCloud security overview:

  • Home data
  • Health data (iOS 12 or later) *
  • iCloud Keychain (includes saved accounts and passwords)
  • Payment information
  • QuickType Keyboard learned vocabulary (iOS 11 or later)
  • Screen Time password and data
  • Siri information
  • Wi-Fi passwords
  • Messages in iCloud **

* iOS 11 devices synchronize Health data as a regular data category without using end-to-end encryption. According to Apple, “End-to-end encryption for Health data requires iOS 12 or later and two-factor authentication. Otherwise, your data is still encrypted in storage and transmission but is not encrypted end-to-end. After you turn on two-factor authentication and update iOS, your Health data is migrated to end-to-end encryption.”

** According to Apple, “Messages in iCloud also uses end-to-end encryption. If you have iCloud Backup turned on, your backup includes a copy of the key protecting your Messages. This ensures you can recover your Messages if you lose access to iCloud Keychain and your trusted devices. When you turn off iCloud Backup, a new key is generated on your device to protect future messages and isn’t stored by Apple.” Since iOS 13, Apple no longer stores Messages in iCloud backups if the user activates Messages in iCloud.

What Apple Provides When Serving Government Requests

Apple discloses certain types of information when serving a valid government request. This data typically includes information that falls into iCloud backups, Synchronized data and Files categories.

When serving government requests, Apple also delivers iCloud backups. End users exercising their rights under the European Data Protection Directive (EDPR) or requesting their personal data via Apple’s Data & Privacy portal do not receive a copy of their iCloud backups.

The following principles apply when Apple serves government requests: https://www.apple.com/privacy/government-information-requests/; of particular interest are the following excerpts:

Apple will notify customers/users when their Apple account information is being sought in response to a valid legal request from government or law enforcement, except where providing notice is explicitly prohibited by the valid legal request, by a court order Apple receives, by applicable law or where Apple, in its sole discretion, believes that providing notice creates a risk of injury or death to an identifiable individual, in situations where the case relates to child endangerment, or where notice is not applicable to the underlying facts of the case, or where Apple reasonably considers that to do so would likely pervert the course of justice or prejudice the administration of justice.

Apple defines information provided to the LE as follows:

iCloud stores content for the services that the subscriber has elected to maintain in the account while the subscriber’s account remains active. Apple does not retain deleted content once it is cleared from Apple’s servers. iCloud content may include email, stored photos, documents, contacts, calendars, bookmarks, Safari browsing history, Maps Search History, Messages and iOS device backups. iOS device backups may include photos and videos in the Camera Roll, device settings, app data, iMessage, Business Chat, SMS, and MMS messages and voicemail. All iCloud content data stored by Apple is encrypted at the location of the server. When third-party vendors are used to store data, Apple never gives them the keys. Apple retains the encryption keys in its U.S. data centres.

While Apple correctly claims that it does not keep deleted content once it is cleared from Apple’s servers, we have found that, in many cases, some content may still be available on Apple servers. As a result, tools such as Elcomsoft Phone Breaker can access and download such content.

Additionally, Apple does not explicitly mention certain types of data such as the phone-to-cloud communication logs. These logs record the phone’s dynamic IP address and store records going back some 28 days.

What Apple Provides When Serving Privacy Requests

Apple is committed to disclosing information to end users according to the European Data Protection Directive (EDPR) or serving a request for personal data submitted via Apple’s Data & Privacy portal. Users can request a download of a copy of their data from Apple apps and services. This, according to Apple, may include purchase or app usage history and the data users store with Apple, such as calendars, photos or documents. Below is the list of information disclosed by Apple:

Note: iCloud backups are only provided when Apple serves government requests. End users exercising their rights under the European Data Protection Directive (EDPR) or requesting their personal data via Apple’s Data & Privacy portal do not receive a copy of their iCloud backups.

What Apple Does Not Provide

Any information that falls under the End-to-end encrypted data category as defined in the iCloud security overview is never disclosed to law enforcement. End users may only obtain end-to-end encrypted data by setting up a compatible Apple device and typing the screen lock passcode of their past device.

Obtaining End-to-End Encrypted Data

Since Apple refuses to provide legal access to any of the data the company protects with end-to-end encryption, experts must use third-party tools to extract this information from iCloud. Elcomsoft Phone Breaker is one of the few tools on the market that can touch these encrypted categories. Elcomsoft Phone Breaker can extract the iCloud backups, files and synchronized data. In addition, the tool can download and decrypt the following types of end-to-end encrypted data:

  • iCloud Keychain
  • Health
  • Messages in iCloud
  • Screen Time password
  • FileVault2 recovery token

In order to access end-to-end encrypted data, the following information is required:

  1. The user’s Apple ID and password
  2. A valid, non-expired one-time code to pass Two-Factor Authentication
  3. The user’s screen lock passcode or system password to any current or past device enrolled in the trusted circle

Conclusion

In this article, we described the discrepancy between the data Apple collects from its users and stores on its servers, and the data the company gives away to law enforcement when serving a government request. Some of the most essential categories are not disclosed, particularly the user’s passwords (iCloud Keychain), text messages and iMessages (Messages in iCloud), the user’s physical activity logs (Health), device usage patterns (Screen Time) and Home data. Most of this information can only be accessed by using third-party tools such as Elcomsoft Phone Breaker, and only if the complete set of authentication credentials (the login and password, 2FA code and screen lock/system password) is known.

Skype synchronizes chats, text messages and files sent and received with the Microsoft Account backend. Accessing Skype conversation histories by performing a forensic analysis of the user’s Microsoft Account is often the fastest and easiest way to obtain valuable evidence. Learn how to use Elcomsoft Phone Breaker to quickly extract the complete conversation histories along with attachments and metadata from the user’s Microsoft Account.

What’s It All About?

With over 1.55 billion accounts and more than 420 million daily users, Skype is one of the world’s biggest instant messaging apps. While there is no lack of competition in the highly crowded market of instant messaging apps, Skype maintains its user base. This feature-rich app is available for all relevant platforms, and is actively developed and frequently updated by Microsoft. Skype is secure (enough) while maintaining transparency to the law enforcement, which makes Skype the only allowed VoIP communication app in countries such as the UAE. The free Skype-to-phone calls included with all Microsoft Office 365 subscriptions help Skype gain popularity among corporate and small office users, while integration with Alexa and Cortana voice assistants makes Skype the tool of choice for voice calls.

We’ve just announced a major update to iOS Forensic Toolkit, now supporting the full range of devices that can be exploited with the unpatchable checkra1n jailbreak. Why is the checkra1n jailbreak so important for the forensic community, and what new opportunities in acquiring Apple devices does it present to forensic experts? We’ll find out what types of data are available on both AFU (after first unlock) and BFU (before first unlock) devices, discuss the possibilities of acquiring locked iPhones, and provide instructions on installing the checkra1n jailbreak.

The Screen Time passcode (known as the Restrictions passcode in previous versions of iOS) is a separate 4-digit passcode designed to secure changes to the device settings and the user’s Apple ID account and to enforce the Content & Privacy Restrictions. You can add the Screen Time passcode when activating Screen Time on a child’s device or if you want to add an extra layer of security to your own device.

The 4-digit Screen Time passcode is separate to the main screen lock passcode you are using to unlock your device. If you configure Screen Time restrictions to your usage scenarios, you’ll hardly ever need to type the Screen Time password on your device.

Using the Screen Time password can be a great idea if you want to ensure that no one can reset your iTunes backup password, disable Find My iPhone or change your Apple ID password even if they steal your device *and* know your device passcode. On the flip side, there is no official way to recover the Screen Time password if you ever forget it other than resetting the device and setting it up from scratch. Compared to the device screen lock passcode, Screen Time passwords are much easier to forget since you rarely need them.

In this article, we’ll show you how to reveal your iOS 12 Screen Time passcode (or the Restrictions passcode if you’re using iOS 7 through 11) using Elcomsoft Phone Viewer.

When it comes to mobile forensics, experts are analyzing the smartphone itself with possible access to cloud data. However, extending the search to the user’s desktop and laptop computers may (and possibly will) help in accessing information stored both in the physical smartphone and in the cloud. In this article we’ll list all relevant artefacts that can shed light on smartphone data. The information applies to Apple iOS devices as well as smartphones running Google Android.

Mobile Artefacts on Desktops and Laptops

Due to the sheer capacity, computer storage may contain significantly more evidence than a smartphone. However, that would be a different kind of evidence compared to timestamped and geotagged usage data we’ve come to expect from modern smartphones.

How can the user’s PC or Mac help mobile forensic experts? There are several types of evidence that can help us retrieve data from the phone or the cloud.

  1. iTunes backups. While this type of evidence is iPhone-specific (or, rather, Apple-specific), a local backup discovered on the user’s computer can become an invaluable source of evidence.
  2. Saved passwords. By instantly extracting passwords stored in the user’s Web browser (Chrome, Edge, IE or Safari), one can build a custom dictionary for breaking encryption. More importantly, one can use stored credentials for signing in to the user’s iCloud or Google Account and performing a cloud extraction.
  3. Email account. An email account can be used to reset a password to the user’s Apple or Google account (with subsequent cloud extraction using the new credentials).
  4. Authentication tokens. These can be used to access synchronized data in the user’s iCloud account (tokens must be used on the user’s computer; on macOS, transferable unrestricted tokens may be extracted). There are also tokens for Google Drive (can be used to access files in the user’s Google Drive account) and Google Account (can be used to extract a lot of data from the user’s Google Account). The computer itself is also an artefact as certain authentication tokens are “pinned” to a particular piece of hardware and cannot be transferred to another device. If the computer is a “trusted” device, it can be used for bypassing two-factor authentication.
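
One way to inventory the local iTunes backups from item 1 and see which of them are unencrypted. This is an added example, not code from the original article; the folder locations and plist keys are those of standard iTunes/Finder backups, and the sample backup folders are constructed:

```python
import plistlib
import tempfile
from datetime import datetime
from pathlib import Path
from xml.parsers.expat import ExpatError

# Default MobileSync locations (assumption: standard iTunes/Finder installs).
DEFAULT_BACKUP_ROOTS = (
    Path.home() / "Library/Application Support/MobileSync/Backup",     # macOS
    Path.home() / "AppData/Roaming/Apple Computer/MobileSync/Backup",  # Windows, desktop iTunes
    Path.home() / "Apple/MobileSync/Backup",                           # Windows, Store iTunes
)


def _load_plist(path):
    """Return the parsed plist, or None if it is missing or unreadable."""
    try:
        with open(path, "rb") as fh:
            return plistlib.load(fh)
    except (OSError, ValueError, ExpatError):
        return None


def describe_backup(backup_dir):
    """Summarise one backup folder from its Manifest.plist and Info.plist."""
    manifest = _load_plist(Path(backup_dir) / "Manifest.plist")
    if manifest is None:
        return None  # no readable manifest: not a (complete) backup folder
    info = _load_plist(Path(backup_dir) / "Info.plist") or {}
    lockdown = manifest.get("Lockdown", {})
    return {
        "path": str(backup_dir),
        "device": info.get("Device Name") or lockdown.get("DeviceName"),
        "ios": info.get("Product Version") or lockdown.get("ProductVersion"),
        "date": manifest.get("Date") or info.get("Last Backup Date"),
        "encrypted": bool(manifest.get("IsEncrypted", False)),
    }


def find_backups(roots=DEFAULT_BACKUP_ROOTS):
    """Walk each backup root and describe every backup folder found."""
    found = []
    for root in map(Path, roots):
        if not root.is_dir():
            continue
        for child in sorted(root.iterdir()):
            summary = describe_backup(child) if child.is_dir() else None
            if summary:
                found.append(summary)
    return found


def unencrypted(backups):
    """Backups whose contents can be read without the backup password."""
    return [b for b in backups if not b["encrypted"]]


def make_sample_root(base):
    """Constructed sample data: two fake backup folders, one encrypted."""
    root = Path(base) / "Backup"
    samples = [("00008020-CONSTRUCTED0001", "Test iPhone", "13.3", False),
               ("00008027-CONSTRUCTED0002", "Test iPad", "13.3", True)]
    for udid, name, version, enc in samples:
        folder = root / udid
        folder.mkdir(parents=True)
        with open(folder / "Manifest.plist", "wb") as fh:
            plistlib.dump({"IsEncrypted": enc, "Date": datetime(2020, 2, 20),
                           "Lockdown": {"ProductVersion": version}}, fh)
        with open(folder / "Info.plist", "wb") as fh:
            plistlib.dump({"Device Name": name, "Product Version": version}, fh)
    (root / "not-a-backup").mkdir()  # folder without Manifest.plist is skipped
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for b in find_backups([make_sample_root(tmp)]):
            state = "encrypted" if b["encrypted"] else "NOT encrypted"
            print(f'{b["device"]} (iOS {b["ios"]}), {b["date"]:%Y-%m-%d}: {state}')
```

Calling `find_backups()` with no arguments checks the default locations of the current user profile.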

iOS 13 is on the way. While the new mobile OS is still in beta, so far we have not discovered many revolutionary changes in the security department. At the same time, there are quite a few things forensic specialists will need to know about the new iteration of Apple’s mobile operating system. In this article, we’ll be discussing the changes and their meaning for the mobile forensics.

iCloud backups

We’ve seen several changes to iCloud backups that break third-party tools not designed with iOS 13 in mind. Rest assured we’ve updated our tools to support iOS 13 iCloud backups already. We don’t expect the backup format to change once iOS 13 is officially released, yet we keep an eye on them.

First, Apple has changed the protocol and encryption. There’s nothing major, but those changes were more than enough to effectively block all third-party tools without explicit support for iOS 13.

Second, cloud backups (at least in the current beta) now contain pretty much the same set of info as unencrypted local backups. Particularly missing from iCloud backups made with iOS 13 devices are call logs and Safari history. This information is now stored exclusively as “synchronized data”, which makes it even more important for the investigator to extract synced evidence in addition to backups. Interestingly, nothing was changed about synced data; you can still use the same tools and sign in with either Apple ID/password/2FA or authentication tokens.

Today’s smartphones and wearable devices collect overwhelming amounts of data about the user’s health. Health information including the user’s daily activities, workouts, medical conditions, body measurements and many other types of information is undoubtedly one of the most sensitive types of data. Yet, smartphone users readily trust this highly sensitive information to other parties. In this research, we’ll figure out how Apple and Google as two major mobile OS manufacturers collect, store, process and secure health data. We’ll analyze Apple Health and Google Fit, research what information they store in the cloud, and learn how to extract the data. We’ll also analyze how both companies secure health information and how much of that data is available to third parties.

Apple Health: the All-in-One Health App

The Apple Health app made its appearance in 2014 with the release of iOS 8. Since then, Apple Health is pre-installed on all iPhones.

Apple Health keeps working in background, collecting information about the user’s activities using the phone’s low-energy sensors.

In addition to low-energy sensors built into modern iPhone devices, Apple offers a range of companion devices that can collect additional information about the user’s health and activities. This information may include heart rate measurements, frequent and precise samples of location information (GPS), as well as specific data (fall detection, ECG).

In Apple’s world, the keychain is one of the core and most secure components of macOS, iOS and its derivatives such as watchOS and tvOS. The keychain is intended to keep the user’s most valuable secrets securely protected. This includes protection for authentication tokens, encryption keys, credit card data and a lot more. End users are mostly familiar with one particular feature of the keychain: the ability to store all kinds of passwords. This includes passwords to Web sites (Safari and third-party Web browsers), mail accounts, social networks, instant messengers, bank accounts and just about everything else. Some records (such as Wi-Fi passwords) are “system-wide”, while other records can be only accessed by their respective apps. iOS 12 further develops password auto-fill, allowing users to utilize passwords they stored in Safari in many third-party apps.

If one can access information saved in the keychain, one can then gain the keys to everything managed by the device owner from their online accounts to banking data, online shopping, social life and much more.

Apple offers comprehensive documentation for developers on keychain services, and provides additional information in iOS Security Guide.

In this article we assembled information about all existing methods for accessing and decrypting the keychain secrets.

Apple has a wonderfully integrated ecosystem. Apple computers, tablets and phones conveniently synchronize information such as passwords, Web browsing history, contacts and call logs across all of the user’s devices. This synchronization mechanism uses iCloud to sync and store information. The syncing mechanism works independently from iOS system backups that are also stored in iCloud (or iCloud Drive). As opposed to daily iCloud backups, synchronized data is updated and propagated across devices in almost real time. Extracting this information can be invaluable for investigations as it provides access to the most up to date information about the user, their activities and whereabouts.

What exactly is synced through iCloud? The screen shot above lists all options available in iOS 11. As you can see, the following types of data are (or can be) synced across Apple devices:

  • Photos (iCloud Photo Library)
  • Mail (iCloud mail only)
  • Contacts, Calendars and Reminders
  • Safari (browsing history, bookmarks and tabs open on other devices)
  • Game Center (profiles, achievements and game progress)
  • Siri (requests, settings)
  • Keychain (iCloud Keychain stores passwords and forms from Safari, iOS system, Apple and some third-party apps, but not Google Chrome)
  • iCloud backups (up to last 3 copies per device, created daily while charging)
  • iBooks, Pages, Numbers and Keynote (e-books, PDF files, documents)
  • Maps (user’s search history, routes and places)
  • Wallet
  • Wi-Fi
